Need Information

README.md

@@ -1,50 +1,72 @@
-Community Repository
-====================
+# <a name="mbc"></a>Cuckoo Community Signature-MBC Mappings #
 
-This is an open repository dedicated to **contributions from the commmunity**.
-Here you are able to submit the custom modules that you wrote for your Cuckoo
-Sandbox setup and that you want to share with the rest of the community.
+The MBC team has mapped [Cuckoo community signatures](https://github.com/cuckoosandbox/community) into MBC. Of the 565 signatures available, 313 have been mapped into MBC (the others are anti-virus related signatures that identify specific threats). Prior to this MBC-oriented mapping, 165 of the signatures were mapped into ATT&CK. We added new signatures, which was possible because MBC includes malware-related behaviors that ATT&CK doesn't. We also used MBC's malware-focused content to revise and/or extend the existing ATT&CK mappings.
 
-We believe that there's high value and potential in the malware research
-community to be more transparent and cooperative and this wants to be an
-initiative to support it.
+|Description|Number|
+|-----------|------|
+|New mappings|148|
+|Updated mappings|83|
+|Extended mappings|21|
+|Unchanged mappings|61|
+|**TOTAL MAPPINGS**|**313**|
 
-We have recently started a [changelog](CHANGELOG.md) with documentation on
-recent changes. We expect this to grow overtime!
+Below, we explain how these signatures are used. We begin with an example Python signature and then show example Cuckoo report output. We conclude with information on using the signature repository.
 
-How to use it
--------------
+Example Cuckoo Signature
+------------------------
 
-You will find that all the directories here share the same structure of our
-latest Cuckoo Sandbox release. Potentially you could just download the whole
-repository and extract it in Cuckoo's root directory, but we suggest you to
-manually take care of copying just the modules you are interested in.
+This signature example (antisandbox_sleep.py) was not mapped to an ATT&CK technique. We map it to **Dynamic Analysis Evasion::Delayed Execution [B0003.003]** as shown below (see the ttp variable).
 
-Cuckoo also provides an utility to automatically download and install
-latest modules. You can do so by running the `cuckoo community` command.
+```python
+from lib.cuckoo.common.abstracts import Signature
+
+class AntiSandboxSleep(Signature):
+    name = "antisandbox_sleep"
+    description = "A process attempted to delay the analysis task."
+    severity = 2
+    categories = ["anti-sandbox"]
+    authors = ["KillerInstinct"]
+    minimum = "2.0"
+    ttp = ["B0003.003"]
+    ...
+```
 
-Being a community-driven repository we, as the Cuckoo Sandbox developers,
-do not take any responsibility for the validity of the code submitted.
-We will try to keep this place in order, but we can't guarantee the
-quality of the modules here available and therefore do not provide any
-assistance on eventual malfunctions.
+Cuckoo Reports
+--------------
 
-Contributing
-------------
+The signature section of a Cuckoo report specifies associated MBC behavior as shown in the example below (Dynamic Analysis Evasion [B0003.003] behavior is shown).
 
-If you have one or more Signatures you'd like to share, please make a pull
-request and we'll take care of it eventually.
+```json
+{
+  "signatures": [
+    {
+      "families": [],
+      "description": "A process attempted to delay the analysis task.",
+      "severity": 1,
+      "ttp": {
+        "B0003.003": {
+          "short": "Dynamic Analysis Evasion",
+          "long": "Malware may obstruct dynamic analysis in a sandbox, emulator, or virtual <snip>"
+        }
+      },
+      "markcount": 1,
+      "references": "...",
+      "marks": "...",
+      "name": "antisandbox_sleep"
+    }
+  ]
+}
+```
 
-Before submitting your request make sure that:
-* You take a look at the [community guidelines](https://cuckoo.sh/docs/introduction/community.html)
-* Your code is working.
-* Your code is unique: don't reinvent the wheel and check whether someone already provided a similar solution.
-* Your code is relevant to the project and actually adds some value.
-* Your code is placed in the correct directory.
+How to Use the Repository
+-------------------------
 
-There are many factors that make it easier for us to merge your pull request.
-Inclusion of `sample hashes`, before and after results, and tested
-environment(s) really help us with evaluating your potential contributions,
-and as such make the merge it more quickly.
+The [Cuckoo community repository](https://github.com/cuckoosandbox/community) is open and dedicated to contributions from the commmunity.
+Users can submit custom modules for sharing with the rest of the community.
 
-We take the discretion to approve or reject submissions at our will.
+All the directories here share the same structure as the
+latest Cuckoo Sandbox release. While it's possible to download the whole
+repository and extract it in Cuckoo's root directory, it is suggested that only the modules of interest are copied.
+
+Cuckoo also provides an utility to automatically download and install
+latest modules. You can do so by running the `cuckoo community` command.

modules/signatures/android/android_dangerous_permissions.py

@@ -11,6 +11,7 @@ class AndroidDangerousPermissions(Signature):
     categories = ["android"]
     authors = ["Check Point Software Technologies LTD"]
     minimum = "2.0"
+    ttp = ["E1478"]
 
     def on_complete(self):
         manifest = self.get_results("apkinfo", {}).get("manifest", {})

modules/signatures/android/android_dynamic_code.py

@@ -11,6 +11,7 @@ class AndroidDynamicCode(Signature):
     categories = ["android"]
     authors = ["Check Point Software Technologies LTD"]
     minimum = "2.0"
+    ttp = ["T1129"]
 
     def on_complete(self):
         if self.get_apkinfo("static_method_calls").get("is_dynamic_code"):

modules/signatures/android/android_native_code.py

@@ -11,6 +11,7 @@ class AndroidNativeCode(Signature):
     categories = ["android"]
     authors = ["Check Point Software Technologies LTD"]
     minimum = "2.0"
+    ttp = ["E1203"]
 
     def on_complete(self):
         if self.get_apkinfo("static_method_calls").get("is_native_code"):

modules/signatures/android/android_reflection_code.py

@@ -11,6 +11,7 @@ class AndroidReflectionCode(Signature):
     categories = ["android"]
     authors = ["Check Point Software Technologies LTD"]
     minimum = "2.0"
+    ttp = ["B0032"]
 
     def on_complete(self):
         if self.get_apkinfo("static_method_calls").get("is_reflection_code"):

modules/signatures/android/application_aborted_broadcast_receiver.py

@@ -11,6 +11,7 @@ class AndroidAbortBroadcast(Signature):
     categories = ["android"]
     authors = ["Check Point Software Technologies LTD"]
     minimum = "2.0"
+    ttp = ["F0006"]
 
     def on_complete(self):
         if "abortBroadcast" in self.get_droidmon("events", []):

modules/signatures/android/application_deleted_app.py

@@ -11,6 +11,7 @@ class AndroidDeletedApp(Signature):
     categories = ["android"]
     authors = ["Check Point Software Technologies LTD"]
     minimum = "2.0"
+    ttp = ["E1485.m03"]
 
     def on_complete(self):
         if "android/app/ApplicationPackageManager->deletePackage" in self.get_droidmon():

modules/signatures/android/application_executed_shell_command.py

@@ -11,6 +11,7 @@ class AndroidShellCommands(Signature):
     categories = ["android"]
     authors = ["Check Point Software Technologies LTD"]
     minimum = "2.0"
+    ttp = ["E1059"]
 
     def on_complete(self):
         if self.get_droidmon("commands", []):

modules/signatures/android/application_installed_app.py

@@ -11,6 +11,7 @@ class AndroidInstalledApps(Signature):
     categories = ["android"]
     authors = ["Check Point Software Technologies LTD"]
     minimum = "2.0"
+    ttp = ["B0023"]
 
     def on_complete(self):
         if "android/app/ApplicationPackageManager->installPackage" in self.get_droidmon():

modules/signatures/android/application_queried_account_info.py

@@ -11,6 +11,7 @@ class AndroidAccountInfo(Signature):
     categories = ["android"]
     authors = ["Check Point Software Technologies LTD"]
     minimum = "2.0"
+    ttp = ["T1087"]
 
     def on_complete(self):
         if "getAccounts" in self.get_droidmon("data_leak"):

modules/signatures/android/application_queried_installed_apps.py

@@ -11,6 +11,7 @@ class AndroidAppInfo(Signature):
     categories = ["android"]
     authors = ["Check Point Software Technologies LTD"]
     minimum = "2.0"
+    ttp = ["T1518"]
 
     def on_complete(self):
         if "getInstalledPackages" in self.get_droidmon("data_leak"):

modules/signatures/android/application_queried_phone_number.py

@@ -11,6 +11,7 @@ class AndroidPhoneNumber(Signature):
     categories = ["android"]
     authors = ["Check Point Software Technologies LTD"]
     minimum = "2.0"
+    ttp = ["T1082"]
 
     def on_complete(self):
         if "getLine1Number" in self.get_droidmon("fingerprint"):

modules/signatures/android/application_queried_private_information.py

@@ -11,6 +11,7 @@ class AndroidPrivateInfoQuery(Signature):
     categories = ["android"]
     authors = ["Check Point Software Technologies LTD"]
     minimum = "2.0"
+    ttp = ["T1409"]
 
     def on_complete(self):
         if "ContentResolver_queries" in self.get_droidmon():

modules/signatures/android/application_recording_audio.py

@@ -11,6 +11,7 @@ class AndroidAudio(Signature):
     categories = ["android"]
     authors = ["Check Point Software Technologies LTD"]
     minimum = "2.0"
+    ttp = ["T1123"]
 
     def on_complete(self):
         if "mediaRecorder" in self.get_droidmon("events"):

modules/signatures/android/application_registered_receiver_runtime.py

@@ -11,6 +11,7 @@ class AndroidRegisteredReceiver(Signature):
     categories = ["android"]
     authors = ["Check Point Software Technologies LTD"]
     minimum = "2.0"
+    ttp = ["E1203"]
 
     def on_complete(self):
         if "registered_receivers" in self.get_droidmon():

modules/signatures/android/application_sent_sms_messages.py

@@ -11,6 +11,7 @@ class AndroidSMS(Signature):
     categories = ["android"]
     authors = ["Check Point Software Technologies LTD"]
     minimum = "2.0"
+    ttp = ["E1472"]
 
     def on_complete(self):
         if "sms" in self.get_droidmon():

modules/signatures/android/application_stopped_processes.py

@@ -11,6 +11,7 @@ class AndroidStopProcess(Signature):
     categories = ["android"]
     authors = ["Check Point Software Technologies LTD"]
     minimum = "2.0"
+    ttp = ["T1489"]
 
     def on_complete(self):
         if "killed_process" in self.get_droidmon():

modules/signatures/android/application_uses_location.py

@@ -11,6 +11,7 @@ class ApplicationUsesLocation(Signature):
     categories = ["android"]
     authors = ["Check Point Software Technologies LTD"]
     minimum = "2.0"
+    ttp = ["T1430"]
 
     def on_complete(self):
         if "location" in self.get_droidmon("data_leak"):

modules/signatures/android/application_using_the_camera.py

@@ -11,6 +11,7 @@ class AndroidCamera(Signature):
     categories = ["android"]
     authors = ["Check Point Software Technologies LTD"]
     minimum = "2.0"
+    ttp = ["T1429"]
 
     def on_complete(self):
         if "camera" in self.get_droidmon("events"):

modules/signatures/cross/html_flash.py

@@ -17,6 +17,7 @@ class HtmlFlash(Signature):
     categories = ["exploit"]
     authors = ["Cuckoo Technologies"]
     minimum = "2.0"
+    ttp = ["E1203"]
 
     filter_apinames = "CElement_put_innerHTML",
 

modules/signatures/cross/js_eval.py

@@ -11,6 +11,7 @@ class EvalJS(Signature):
     categories = ["unpacking"]
     authors = ["Cuckoo Technologies"]
     minimum = "2.0"
+    ttp = ["T1059.007"]
 
     filter_apinames = "COleScript_Compile",
 

modules/signatures/cross/js_iframe.py

@@ -13,6 +13,7 @@ class JsIframe(Signature):
     categories = ["obfuscation"]
     authors = ["Cuckoo Technologies"]
     minimum = "2.0"
+    ttp = ["T1059"]
 
     filter_apinames = "CIFrameElement_CreateElement",
 

modules/signatures/cross/js_suspicious.py

@@ -13,6 +13,7 @@ class SuspiciousJavascript(Signature):
     categories = ["unpacking"]
     authors = ["Cuckoo Technologies"]
     minimum = "2.0"
+    ttp = ["E1059.007"]
 
     filter_apinames = "COleScript_Compile",
 
@@ -40,6 +41,7 @@ class AntiAnalysisJavascript(Signature):
     authors = ["Cuckoo Technologies"]
     minimum = "2.0"
     on_call_dispatch = True
+    ttp = ["B0013", "B0009"]
 
     filter_apinames = "ActiveXObjectFncObj_Construct", "CImgElement_put_src"
 

modules/signatures/darwin/code_injection.py

@@ -15,6 +15,7 @@ class DarwinCodeInjection(Signature):
     categories = ["injection"]
     authors = ["rodionovd"]
     minimum = "2.0"
+    ttp = ["E1055"]
 
     filter_apinames = [
         "task_for_pid",

modules/signatures/darwin/task_for_pid.py

@@ -14,6 +14,7 @@ class TaskForPid(Signature):
     categories = ["injection"]
     authors = ["rodionovd"]
     minimum = "2.0"
+    ttp = ["T1057"]
 
     filter_apinames = ["task_for_pid"]
 

modules/signatures/network/dns_cnc.py

@@ -22,6 +22,7 @@ class NetworkDNSTXTLookup(Signature):
     categories = ["dns", "cnc"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
+    ttp = ["C0011"]
 
     safelist = [
             "google.com",

modules/signatures/network/dns_tld.py

@@ -12,6 +12,7 @@ class Suspicious_TLD(Signature):
     categories = ["tldwatch", "network"]
     authors = ["RedSocks", "Kevin Ross"]
     minimum = "2.0"
+    ttp = ["C0011.004"]
 
     domains_re = [
         (".*\\.by$", "Belarus domain TLD"),

modules/signatures/network/network_bind.py

@@ -22,6 +22,7 @@ class NetworkBIND(Signature):
     categories = ["bind"]
     authors = ["nex", "Accuvant"]
     minimum = "2.0"
+    ttp = ["C0001.002"]
 
     filter_apinames = "bind", "listen", "accept"
 

modules/signatures/network/network_cnc_http.py

@@ -27,6 +27,7 @@ class NetworkHTTPPOST(Signature):
     categories = ["http", "cnc"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
+    ttp = ["C0002.005"]
 
     filter_analysistypes = set(["file"])
 
@@ -57,6 +58,7 @@ class NetworkCnCHTTP(Signature):
     categories = ["http", "cnc"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
+    ttp = ["T1071.001", "B0030"]
 
     filter_analysistypes = set(["file"])
 

modules/signatures/network/network_dyndns.py

@@ -12,6 +12,7 @@ class NetworkDynDNS(Signature):
     categories = ["dyndns"]
     authors = ["RedSocks"]
     minimum = "2.0"
+    ttp = ["C0011.003"]
 
     domains_re = [
         ".*\\.no-ip\\.",

modules/signatures/network/network_http.py

@@ -22,6 +22,7 @@ class NetworkHTTP(Signature):
     categories = ["http"]
     authors = ["nex"]
     minimum = "2.0"
+    ttp = ["C0002.003"]
 
     host_safelist = [
         "www.msftncsi.com"

modules/signatures/network/network_icmp.py

@@ -22,6 +22,7 @@ class NetworkICMP(Signature):
     categories = ["icmp"]
     authors = ["David Maciejak"]
     minimum = "2.0"
+    ttp = ["C0014.001"]
 
     def on_complete(self):
         if self.get_net_icmp():

modules/signatures/network/network_irc.py

@@ -22,6 +22,7 @@ class NetworkIRC(Signature):
     categories = ["irc"]
     authors = ["nex"]
     minimum = "2.0"
+    ttp = ["T1102"]
 
     def on_complete(self):
         if self.get_net_irc():

modules/signatures/network/network_smtp.py

@@ -22,6 +22,7 @@ class NetworkSMTP(Signature):
     categories = ["smtp", "spam"]
     authors = ["nex", "RicoVZ"]
     minimum = "2.0.0"
+    ttp = ["F0012.002"]
 
     def on_complete(self):
         for s in getattr(self, "get_net_smtp_ex", lambda: [])():

modules/signatures/network/network_torgateway.py

@@ -22,6 +22,7 @@ class TorGateway(Signature):
     categories = ["network"]
     authors = ["nex", "Optiv"]
     minimum = "2.0"
+    ttp = ["T1090.003"]
 
     domains_re = [
         ".*\\.tor2web\\.[a-z]{2,20}$",